DocumentCode
3387355
Title
Clustering IDS alarms with an IGA-based approach
Author
Wang, Jianxin ; Cui, Baojiang
Author_Institution
Sch. of Information, Beijing Forestry Univ., Beijing, China
fYear
2009
fDate
23-25 July 2009
Firstpage
586
Lastpage
590
Abstract
Intrusion detection systems generally overload their human operators by triggering thousands of alarms per day, most of which are false positives. Klaus Julisch put forward a clustering method effective at eliminating false positives and finding root causes, but he proved that the clustering problem is unfortunately NP-complete. In this paper, an immune genetic algorithm (IGA) is proposed to overcome the NP-complete clustering problem. An ad hoc strategy for generating antibodies and computing their density is proposed. The coding scheme and genetic operations, including selection, crossover, and mutation, are discussed in detail. The IGA's local searching ability is improved by combining it with the discrete gradient method. The results obtained from several tests are quite encouraging, including that the immune operator contributes much to solving the problem of premature convergence. Compared to a simple GA-based algorithm, the IGA-based one is able to generate higher-quality clusters within a shorter period of time.
Keywords
computational complexity; genetic algorithms; gradient methods; pattern clustering; search problems; security of data; IDS alarm clustering; IGA-based approach; NP-complete clustering problem; ad hoc strategy; coding scheme; crossover operation; discrete gradient method; immune genetic algorithm; intrusion detection system; local search; mutation operation; selection operation; Clustering algorithms; Clustering methods; Convergence; Genetic algorithms; Genetic mutations; Gradient methods; Humans; Immune system; Intrusion detection; Testing;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, Circuits and Systems, 2009. ICCCAS 2009. International Conference on
Conference_Location
Milpitas, CA
Print_ISBN
978-1-4244-4886-9
Electronic_ISBN
978-1-4244-4888-3
Type
conf
DOI
10.1109/ICCCAS.2009.5250447
Filename
5250447